
Splunk Web on Windows won't listen on port 8000

hughkelley
Path Finder

I have a UAC-enabled Server 2008 R2 machine with Splunk splunk-4.1.7-95063-x64-release installed.

I am using a low-privilege account (just the minimum listed in the docs, http://www.splunk.com/base/Documentation/latest/Installation/InstallonWindows#Choosing_the_user_Splu...).

This seems fine for splunkd, it can run, open port 8089, and appears to be indexing.

The splunkweb service never opens a port and seems to generate these errors every time it starts. Apparently it wants to query the Service Control Manager.

When I run the service interactively I get a UAC prompt.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Event ID: 4656
Task Category: Other Object Access Events
Level: Information
Keywords: Audit Failure
Description: A handle to an object was requested.

Subject:
    Security ID: xxx\service-splunk
    Account Name: service-splunk
    Account Domain: xxx
    Logon ID: 0x15cb85

Object:
    Object Server: SC Manager
    Object Type: SC_MANAGER OBJECT
    Object Name: ServicesActive
    Handle ID: 0x0

Process Information:
    Process ID: 0x204
    Process Name: C:\Windows\System32\services.exe

Access Request Information:
    Transaction ID: {00000000-0000-0000-0000-000000000000}
    Accesses:
        DELETE
        READ_CONTROL
        WRITE_DAC
        WRITE_OWNER
        Connect to service controller
        Create a new service
        Enumerate services
        Lock service database for exclusive access
        Query service database lock state
        Set last-known-good state of service database
    Access Reasons: -
    Access Mask: 0xf003f
    Privileges Used for Access Check: -
    Restricted SID Count: 0

0 Karma
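
Added example (not part of the original thread and not Splunk code): a Python decoder for the `Access Mask` in the 4656 event posted above, showing which SC Manager rights the failed handle request asked for. The bit values are the Win32 SC Manager and standard access-right constants; the `PRIVILEGED` grouping and the one-field-per-line sample layout are assumptions of this example.

```python
import re

# SC Manager rights (winsvc.h) and standard rights (winnt.h), keyed by bit.
SCM_RIGHTS = {
    0x0001: "SC_MANAGER_CONNECT", 0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE", 0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS",
    0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
    0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
SC_MANAGER_ALL_ACCESS = 0xF003F
# Rights that alter the service database or its security descriptor
# (calling this set "privileged" is this example's own assumption).
PRIVILEGED = 0x0002 | 0x0008 | 0x0020 | 0x10000 | 0x40000 | 0x80000

# Constructed input: fields of the 4656 event from the post, one per line.
SAMPLE_EVENT = """\
Account Name: service-splunk
Object Server: SC Manager
Object Name: ServicesActive
Process Name: C:\\Windows\\System32\\services.exe
Access Mask: 0xf003f
"""

def field(event, name):
    """Return the value of a 'Name: value' line, or None if absent."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", event, re.MULTILINE)
    return m.group(1) if m else None

def decode_mask(mask):
    """Split a mask into known right names and any leftover unknown bits."""
    names = [n for bit, n in sorted(SCM_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(SCM_RIGHTS)
    return names, unknown

def summarize(event):
    """Report who requested which rights and flag full-control requests."""
    mask = int(field(event, "Access Mask"), 16)
    names, unknown = decode_mask(mask)
    return {
        "account": field(event, "Account Name"),
        "object": field(event, "Object Name"),
        "mask": mask, "all_access": mask == SC_MANAGER_ALL_ACCESS,
        "rights": names, "unknown_bits": unknown,
        "privileged": [SCM_RIGHTS[b] for b in sorted(SCM_RIGHTS) if mask & b & PRIVILEGED],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENT))
```

For the posted event the mask decodes to all ten rights in the `Accesses` list, which is `SC_MANAGER_ALL_ACCESS`: the audit failure records a full-control request on the Service Control Manager.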

hughkelley
Path Finder

Port 8000 isn't in use by anybody else.

I haven't tried disabling UAC since that's a no-go configuration in our environment. I did try running the Python exe interactively (-debug) as the service account. That's when I saw the UAC prompt.

0 Karma

gkanapathy
Splunk Employee

Have you tried re-entering the password for the service account in the Services Control panel?

0 Karma

hughkelley
Path Finder

Yes, the service runs fine when I make the account a local administrator, so the username and password are fine.

I feel pretty confident this is a Windows UAC issue. The documentation seems to indicate that this (non-admin) configuration can be made to work.

Has anybody else gotten it going?

0 Karma

southeringtonp
Motivator

What user is SplunkWeb running as? LocalSystem? If you (temporarily) disable UAC, does it make any difference? If you run netstat -an -p tcp, is port 8000 used for anything else?

0 Karma